Student Travel Romania

Personal Data Protection Policy

PREAMBLE

STUDENT TRAVEL ROMANIA SRL (hereinafter referred to as STR) is committed to maintaining the confidentiality of personal data obtained in the course of its activities and to complying with all applicable laws and regulations regarding the processing of such data (“Personal Data”), including sensitive data (“Sensitive Data”). This includes, but is not limited to, the General Data Protection Regulation (“GDPR”) 2016/679 and the national legislation implementing it, as well as the instruments it replaced: Romanian Law no. 677 of November 21, 2001 on the protection of individuals with regard to the processing of personal data and the free movement of such data, and the EU Data Protection Directive 95/46/EC (both of which have since been repealed).

STR has adopted a General Data Protection Policy Framework that establishes appropriate technical and organizational measures to prevent unauthorized or unlawful processing of personal data, as well as accidental loss, destruction, or damage.

Questions regarding applicable legislation or procedures involving the collection or use of specific types of personal data may be addressed to the Data Protection Officer (DPO), who is responsible for overseeing compliance with this General Data Protection Policy Framework.

STR reserves the right to update this Policy at any time without prior notice, in order to ensure compliance with the highest applicable standards.


ARTICLE I – DEFINITIONS

The following terms and expressions, when capitalized, shall have the meanings set forth below:

  • “Article 29 Working Party”: the advisory body established under Directive 95/46/EC, consisting of representatives of the data protection authority of each EU Member State, the European Data Protection Supervisor, and the European Commission, acting independently. Since May 25, 2018 it has been replaced by the European Data Protection Board (EDPB), and references to the Working Party are to be read as references to the EDPB.

  • “STR Steering Committee”: a special committee dedicated to data protection, composed of STR management representatives and the DPO.

  • “STR Employee”: any STR staff member, including managers, project managers, staff in operational roles, interns, and permanent or temporary collaborators acting as sole traders.

  • “Data Controller”: any natural or legal person, public or private authority, institution, or body which determines the purposes and means of personal data processing, or which is designated as such by law.

  • “Data Processor”: any natural or legal person, public authority, agency, or other body which processes personal data on behalf of the Data Controller.

  • “Data Protection Authority”: the National Supervisory Authority for Personal Data Processing (ANSPDCP), the official administrative authority responsible for personal data protection in Romania. The term includes any successor to ANSPDCP.

  • “Data Protection Officer (DPO)”: the person responsible for global oversight of compliance with Data Protection Policies through a network of Data Protection Ambassadors.

  • “Personal Data”: any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable person is one who can be identified directly or indirectly, in particular by reference to an identifier such as a name, ID number, location data, online identifier, or one or more factors specific to physical, physiological, genetic, mental, economic, cultural, or social identity.

  • “Processing”: any operation performed on personal data, with or without automated means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, alignment, restriction, erasure, or destruction.

  • “Regulated Jurisdiction”: the EU and EEA Member States, together with Switzerland. Switzerland is not an EEA Member State but benefits from an EU adequacy decision, so transfers of personal data to Switzerland do not require ANSPDCP authorization.

  • “Data Subject in Regulated Jurisdiction”: any individual residing in a Regulated Jurisdiction at the time their personal data is collected.

  • “Special Data” (also referred to in this Policy as “Sensitive Data”): the special categories of personal data defined in Article 9 of the GDPR (data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data processed to uniquely identify a person, and data concerning health, sex life, or sexual orientation).

  • “Third Party”: any natural or legal person, public authority, agency, or body other than the Data Subject, the Data Controller, the Data Processor, and persons authorized to process personal data under their direct authority.


ARTICLE II – PURPOSE

The purpose of this General Data Protection Policy Framework is to define the key rules for ensuring the highest level of personal data protection within STR, guiding STR’s approach to data protection programs and compliance with applicable data protection regulations.


ARTICLE III – SCOPE

Territorial Scope
This Policy applies to the processing of personal data collected in Romania, whether or not processing takes place in Romania.

Material Scope
This Policy applies to all data processing activities carried out by STR.

It covers all categories of personal data processed by STR during its activities, including data collected from clients, prospective clients, visitors, STR employees, job applicants, agents, suppliers, and other third parties. Both automated and manual processing are covered.


ARTICLE IV – PROCESSING PRINCIPLES

STR ensures that the processing of personal data complies with applicable law and this Policy, in particular with the following minimum rules:

  • Privacy by Design and by Default: data protection must be built into processing operations from the design stage, and only the personal data necessary for each purpose may be processed by default. STR must perform a data protection impact assessment before starting any data processing operation, and in any case where the processing is likely to result in a high risk for Data Subjects (GDPR Article 35).

  • Fair and lawful processing: personal data must be obtained fairly and lawfully, with the Data Subject’s right to information respected (except where exceptions apply by law). Processing must rely on valid legal grounds such as consent, contract performance, legal obligation, vital interest, public task, or legitimate interest.

  • Purpose limitation: data must be collected for specific, explicit, and legitimate purposes and not processed further in ways incompatible with those purposes.

  • Data minimization: collection must be adequate, relevant, and not excessive for the intended purposes.

  • Storage limitation: data must not be retained longer than necessary, unless otherwise required by law.

  • Accuracy: data must be accurate and kept up to date. Data Subjects must be able to exercise rights of access, rectification, and objection.

  • Security: technical and organizational safeguards must be in place to prevent unauthorized access, alteration, destruction, or loss of personal data.

  • Transparency and accountability: STR must demonstrate compliance with GDPR and maintain appropriate records.

Sensitive Data: processing of Special Data is prohibited except under the explicit conditions of GDPR Article 9(2) (e.g., explicit consent, obligations under employment or social protection law, vital interests, processing by non-profit bodies in relation to their members, data manifestly made public by the Data Subject, legal claims, or health care provision by professionals bound by confidentiality).

Subcontracting: STR may only use subcontractors offering adequate technical and organizational measures. Contracts must specify processing only under STR’s instructions.

International Data Transfers: transfers outside the EU/EEA must rely on a transfer mechanism recognized by Chapter V of the GDPR (an adequacy decision, Standard Contractual Clauses, Binding Corporate Rules, or another appropriate safeguard under Article 46). No transfer may occur without such protections.


ARTICLE V – DATA SUBJECT RIGHTS

In line with GDPR, Data Subjects have the right to be informed at the time of collection about:

  • the identity and contact details of the controller;

  • contact details of the DPO;

  • processing purposes and legal basis;

  • legitimate interests pursued;

  • recipients of the data;

  • data retention period;

  • rights of access, rectification, erasure, restriction, objection, and portability;

  • the right to withdraw consent at any time;

  • the right to lodge a complaint with the supervisory authority;

  • whether providing data is mandatory and consequences of refusal.

Consent must be freely given, specific, informed, and unambiguous, demonstrated by a clear affirmative act. Silence, pre-ticked boxes, or inactivity are not valid consent.


ARTICLE VI – IMPLEMENTATION ACTIONS

  • Training: STR commits to ongoing training programs for employees handling personal data.

  • Compliance Program: STR maintains a GDPR compliance program, overseen by the DPO and the STR Steering Committee.

  • Monitoring: DPO supervises compliance, advises on impact assessments, cooperates with authorities, and acts as the main contact for supervisory bodies.


ARTICLE VII – COMPLAINTS

Data Subjects may file complaints with STR’s DPO or with the competent Data Protection Authority. Complaints must be investigated and answered within one (1) month of receipt; where a longer period is justified by the complexity of the matter, the Data Subject must be informed of the extension and the reasons for it.


ARTICLE VIII – COOPERATION WITH AUTHORITIES

STR cooperates with the ANSPDCP and other authorities by providing staff support, responding to inquiries, and applying recommendations. The DPO acts as the main contact.


ARTICLE IX – EFFECTIVE DATE

This Policy entered into force on May 25, 2018, for an indefinite period.


ARTICLE X – IMPLEMENTATION, BREACH NOTIFICATION, REVIEW, REPORTING

  • Breach Notification: personal data breaches must be reported to the DPO immediately. Unless the breach is unlikely to result in a risk to the rights and freedoms of Data Subjects, it must be notified to the supervisory authority within 72 hours of STR becoming aware of it (GDPR Article 33). Where the breach is likely to result in a high risk to Data Subjects, they must also be informed without undue delay (GDPR Article 34).

  • Review: the DPO ensures periodic reviews and updates.

  • Reporting: STR reports data breaches, audits, and communications with authorities to its management and DPO.


ARTICLE XI – SUPPLEMENTARY POLICIES

This Policy is complemented by the following procedures:

  • Data Subject Request Handling Policy

  • Data Breach Policy

And by additional policies, including:

  • Data Security Policy

  • Data Retention and Archiving Policy

  • Cookie Policy